In August, Internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that managed to breach multiple tech companies. While some Cloudflare employees were scammed with phishing messages, the attackers were unable to dig deeper into the company’s systems. This is because as part of Cloudflare’s security controls, each employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with hardware authentication token manufacturer Yubikey to offer discount keys to Cloudflare customers.
However, Cloudflare wasn’t the only company high in security protection of its hardware tokens. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first introducing two-factor authentication for user accounts. And last week, Vivaldi browser announced hardware key support for Android.
Protection is not new, and many major platforms and companies have supported hardware key adoption for years, mandating employees to use them as Cloudflare does. But this latest surge in interest and application comes in response to a number of growing digital threats.
“Physical authentication keys are some of the most effective ways to protect against account hijacking and phishing today,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think of it as a hierarchy, physical tokens are more effective than authentication apps, which are more effective than email verification and SMS verification.”
Hardware authentication is very secure because you have to physically own the key and generate it. This means that an online phisher cannot trick someone into giving their password or even a password plus second factor code to get into a digital account. You already know this intuitively, because that’s the whole premise of door keys. Someone will need your key to open your front door, and if you lose your key, it’s usually not the end of the world because the person who finds it won’t know which door has unlocked it. For digital accounts, there are different types of hardware keys built to the standards of a technology industry association known as the FIDO Alliance, including smart cards with a small circuit chip on it, touch cards, or fobs that use near field communication. or things like Yubikeys that plug into a port on your device.
You probably have dozens or even hundreds of digital accounts, and even if they all support hardware tokens, it will be difficult to manage physical keys for all of them. But the security and phishing resistance of hardware keys for your most valuable accounts and backup accounts for other sign-ins (i.e. your email) can mean significant peace of mind.
Meanwhile, after years of work, the tech industry has finally made great strides towards a long-promised password-free future in 2022. The movement runs behind a technology called “toggle switches”, which is also built on FIDO standards. Apple, Google, and Microsoft operating systems now support this technology, and many other platforms, browsers, and services have adopted or are in the process of adopting it. The goal is to make it easier for users to manage their digital account authentication so they don’t use insecure workarounds like weak passwords. No matter how much you wish, passwords won’t be lost anytime soon, thanks to their ubiquity. Amid all this gossip about toggle switches, hardware tokens are still an important protection option.
“FIDO positions passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair description,” says independent privacy and security consultant Jim Fenton. “While passkeys are probably the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, such as personnel in financial institutions. And more security-focused consumers are likely to have higher net worth, especially if their data has been compromised before. or if they’re only concerned with security, they should have the option to use hardware-based authenticators.”
Adding one more best practice to your digital security to-do list might be daunting at first, but hardware tokens are actually easy to set up. And using them a few times will go a long way, ahem, key accounts.